Travelling like a Sir – English Version

Hello all,

Today I want to share with you a short article about QR codes. You may have seen this kind of code before in street advertisements, festival tickets, train passes or even flight tickets.
Some companies use these images to store information about their clients, redirect to websites and grant access to restricted areas.
The problem with these codes is that the content is always in plain text, as for example in airline boarding passes.
We are going to look at the content of such a QR code and at how to generate our own fake boarding pass with a seat in Business Class (something quite interesting, because with some airlines we will be able to get access to V.I.P. areas in airports).
OK, OK, I know this is not new: another person talked about it at DEF CON 24 in 2016 and a lot of people have been talking about it since 2003, but you know… The problem has still not been resolved and I wanted to explain it a little bit more.
First, we are going to review which kinds of codes the companies use to generate boarding passes: PDF417 and Aztec. The first is commonly used in printed versions; the second is more common in phone applications:

 

Image: PDF417

Image: Aztec

 

Now that we have identified the codes, we will need to download a scanner.
For Android, there are some good scanners such as https://play.google.com/store/apps/details?id=com.google.zxing.client.android&hl=es and for iOS https://itunes.apple.com/ie/app/qr-reader-for-iphone/id368494609?mt=8

Once we have the scanner, we will be able to scan as many boarding passes as we find on Instagram, Google, FB, etc. to see their content and structure.

For the proof of concept, I have analysed the following boarding pass:

We can see that the boarding pass is in Spanish, but do not worry, it is just another awesome language you should learn if you want to retire with your pension in a warm country.
Anyway, inside the QR code we will see the following information:

M1FERRERO PRESA/JOSE I2TCRE MADDUBFR 3979 197Y012A0120 148>5181 7195BFR 00000000000002A405001234567F 1 N

 

To understand this format we do not need a Rosetta Stone; the IATA “Bar Coded Boarding Pass” implementation guide is enough. With a few Google dorks we can find it easily:
http://www-qa.iata.org/whatwedo/stb/Documents/BCBP-Implementation-Guide-5th-Edition-June-2016.pdf
This guide shows many interesting characteristics of this standard, but the following picture will be especially useful for understanding the QR code better.

 

 

I was fascinated by the security block, but many companies still think they do not need it. Some companies have learned the lesson and have started to sign with a PKI (public key infrastructure), as it is more secure.
With the table in one hand and a pint of Guinness in the other, let us start analysing the data that is most interesting to change.

Passenger name:

FERRERO PRESA/JOSE

Reference:

I2TCRE

Origin/destination of the trip and airline code:

MAD DUB FR

Flight number:

3979

Date of flight (month and day) in Julian calendar:

197

Type of compartment (economy class Y, first class F and business class J):

Y

Seat number:

012A

Check-in sequence number (120th person to check in):

0120

The rest of the flight and airline information, which we do not need for what we want to do:

148>5181 7195BFR 00000000000002A405001234567F 1 N
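
The field breakdown above and the security block mentioned earlier can be checked mechanically on the verifying side. This added example (not from the original article or the IATA guide) parses the fixed-width mandatory section of a single-leg pass and reports whether a security block follows it; it assumes the standard BCBP layout (60-character mandatory section, `^` introducing the security data), the function names are hypothetical, and the samples are constructed with full field padding.

```python
# Added example: widths follow the mandatory items of the IATA BCBP layout.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("origin", 3), ("destination", 3),
    ("carrier", 3), ("flight_number", 5), ("julian_date", 3),
    ("compartment", 1), ("seat", 4), ("checkin_sequence", 5),
    ("passenger_status", 1), ("variable_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60 characters

# Constructed samples: invented name and PNR, trip values from the article.
UNSIGNED = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123 " + "MADDUBFR "
            + "3979 " + "197Y012A0120 " + "1" + "00")
SIGNED = UNSIGNED + "^108" + "X" * 8  # placeholder bytes, not a real signature


def parse_bcbp(raw):
    """Return (fields, security) for a one-leg pass; security is None if absent."""
    if len(raw) < MANDATORY_LEN:
        raise ValueError("shorter than the mandatory section")
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    if fields["format_code"] != "M" or fields["legs"] != "1":
        raise ValueError("only single-leg 'M' passes are handled here")
    pos += int(fields["variable_size_hex"], 16)  # skip conditional/airline data
    if pos > len(raw):
        raise ValueError("variable-size field runs past the end of the data")
    tail = raw[pos:]
    if not tail.startswith("^"):  # '^' marks the start of the security data
        return fields, None
    sec_len = int(tail[2:4], 16)  # raises ValueError if missing or not hex
    data = tail[4:4 + sec_len]
    if len(data) != sec_len:
        raise ValueError("security data is truncated")
    return fields, {"type": tail[1], "data": data}


def reject_reason(raw):
    """Gate-side policy: a pass with no security block is never accepted."""
    try:
        _, security = parse_bcbp(raw)
    except ValueError as exc:
        return f"malformed: {exc}"
    if security is None:
        return "no security block"
    return None  # block present; the signature itself still has to be verified
```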

 

Once the data is changed, we just need to generate another QR code. We could easily use websites like https://www.free-barcode-generator.net/aztec/#az-text. Or, if you have free time, you could create your own application to generate your QR codes with this library: https://github.com/zxing/zxing/wiki/Getting-Started-Developing

Finally, here is an example with the modified data and the resulting QR code:

M1WHITE RABBIT/FOLLOW I2TCRE MADDUBFR 3979 197F001C0120 148>5181 7195BFR 00000000000002A405001234567F 1 N

 

 

Obviously, not all the scanners and systems we have to pass through at the airport are the same. This is something you have to investigate by yourself, and we have no interest in that if you do not want to end up in jail. Tread lightly when using this knowledge, as it may lead to prosecution; I will not be held accountable for your use of it.

 

I am so sorry to tell you that I couldn’t make a real proof of concept at the airport where I had been, because it would be illegal… but a friend of a friend ^^ has told me that the food and champagne in the V.I.P. areas of airports are overrated.

Contributor: Pablo Lorenzo Pinar
https://es.linkedin.com/in/pablolorenzopinar